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(57) Abstract: A video source 
device generates a session key 
for each transmission session 
wherein a multi-frame video 
content is to be transmitted to 
a video sink device. The video 
source device uses the session 
key to generate a successive 
number of frame keys. The frame 
keys in turn are used to generate 
corresponding pseudo random 
bit sequences for ciphering the 
correspondmg frames to protect the video content from unauthorized copying during transmission. The video sink device practices 
a complementary approach to decipher the received video content In one mbaiiinent, both devices are each provided with an 
integrated block/stream cipher to practice the transmission protection method 
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Digital Video Content Tra nsmission Ciphering And Deciphering 

Method And Apparatus 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

The present invention relates to the field of content protection. More 
specifically, the present invention addresses the provision of protection to digital 
video content to facilitate their secure transmission from a video source device to 
a video sink device. 



2. Background Information 

In general, entertainment, education, art, and so forth (hereinafter 
collectively referred to as "content") packaged in digital form offer higher audio 
and video quality than their analog counterparts. However, content producers, 
especially those in the entertainment industry, are still reluctant in totally 
embracing the digital form. The primary reason being digital contents are 
particularly vulnerable to pirating. As unlike the analog form, where some 
amount quality degradation generally occurs with each copying, a pirated copy of 
digital content is virtually as good as the "gold master". As a result, much efforts 
have been spent by the industry in developing and adopting techniques to 
provide protection to the distribution and rendering of digital content. 

Historically, the communication interface between a video source device 
(such as a personal computer) and a video sink device (such as a monitor) is an 
analog interface. Thus, very little focus has been given to providing protection for 
the transmission between the source and sink devices. With advances in 
integrated circuit and other related technologies, a new type of digital interface 
between video source and sink devices is emerging. The availability of this type 
of new digital interface presents yet another new challenge to protecting digital 
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Figure 5 illustrates the combined block/stream cipher of Fig. 4 in further 
detail, in accordance with one embodiment; 

Figure 6 illustrates the block key section of Fig. 5 in further detail, in 
accordance with one embodiment; 

Figure 7 illustrates the block data section of Fig. 5 in further detail, in 
accordance with one embodiment; and 

Figures 8a-8c illustrate the stream data section of Fig. 5 in further detail, 
in accordance with one embodiment. 

DETAILED DESCRIPTION OF THE INVENTION 

In the following description, various aspects of the present invention will be 
described, and various details will be set forth in order to provide a thorough 
understanding of the present invention. However, it will be apparent to those 
skilled in the art that the present invention may be practiced with only some or all 
aspects of the present invention, and the present invention may be practiced 
without the specific details. In other instances, well known features are omitted or 
simplified in order not to obscure the present invention. 

Various operations will be described as multiple discrete steps performed in 
turn in a manner that is most helpful in understanding the present invention. 
However, the order of description should not be construed as to imply that these 
operations are necessarily performed in the order they are presented, or even 
order dependent. Lastly, repeated usage of the phrase "in one embodiment" does 
not necessarily refer to the same embodiment, although it may. 

Referring now to Figure 1, wherein a block diagram illustrating an 
overview of the present invention, in accordance with one embodiment is shown. 
As illustrated, video source device 102 and video sink device 104 are coupled to 
each other by digital video link 106. Video source device 102 provides video 
content to video sink device 104 through digital video link 106. In accordance 
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203). Upon exchanging the above information, source and sink devices 102 and 
104 independently generate their respective copies of an authentication key (Km) 
using Ak and Bk (block 204 and 205). For the illustrated embodiment, source 
device 102 generates its copy of Km by summing private keys of its provided 
array indexed by Bk, while sink device 104 generates its copy of Km by summing 
private keys of its provided array indexed by Ak. At this time, if both source and 
sink devices 102 and 104 are authorized devices, they both possess and share a 
common secret authentication key Km. 

In one embodiment, each of source and sink devices 102 and 104 is pre- 
provided with an array of 40 56-bit private keys by the certification authority. An 
is a 64-bit random number, and Km is 56-bit long. For more information on the 
above described authentication process, see co-pending U.S. Patent Application, 
serial number 09/275,722, filed on March 24, 1999, entitled Method and 
Apparatus for the Generation of Cryptographic Keys, having common 
inventorship as well as assignee with the present application. 

Having authenticated sink device 104, source device 102 ciphers video 
content into a ciphered form before transmitting the video content to sink device 
104. Source device 102 ciphers the video content employing a symmetric 
ciphering/deciphering process, and using the random number (An) as well as the 
independently generated authentication key (Km) (block 206). Upon receipt of 
the video content in ciphered form, sink device 104 deciphers the ciphered video 
content employing the same symmetric ciphering/deciphering processing, and 
using the provided An as well as its independently generated copy of Km (block 
207). 

In accordance with the present invention, as an integral part of ciphering 
video content, source device 102 derives a set of verification reference values in 
a predetermined manner (block 208). Likewise, as an integral part of 
symmetrically deciphering video content sink device 104 also derives a set of 
verification values in a predetermined manner, and transmits these derived 
verification values to source device 102 (block 209). Upon receiving each of 
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Upon generating the session key Ks, source device 102 generates an 
initial version of a second random number (MO) (block 304). For the illustrated 
embodiment, source device 102 first generates a pseudo random bit sequence 
(at p-bit per clock) using a stream cipher with the above described random 
number An and the session key Ks (in two roles, as another input random 
number and as the stream cipher key), applying C2 clocks. Source device 102 
derives MO from the pseudo random bit sequence, as the bit sequence is 
generated. 

Next, source device 102 generates a frame key (Ki) for the next frame 
(block 306). For the illustrated embodiment, Ki is generated by block ciphering 
an immediately preceding version of the second random number MM using the 
session key Ks as the block cipher key, and applying C3 clocks. That is, for the 
first frame, frame-1 , frame key K1 is generated by block ciphering the above 
described initial version of the second random number M0, using Ks, and 
applying C3 clocks. Additionally, this operation is subsequently repeated at each 
vertical blanking interval for the then next frame, frame-2, frame-3, and so forth. 

Upon generating the frame key Ki, source device 102 generates the 
current version of the second random number (Mi) (block 302). For the 
illustrated embodiment, source device 102 first generates a pseudo random bit 
sequence (at p-bit per clock) using a stream cipher with the previous version of 
the second random number MM and the frame key Ki (in two roles, as another 
input random number and as the stream cipher key), applying C4 clocks. Source 
device 102 derives Mi from the pseudo random bit sequence, as the bit 
sequence is generated. 

Upon generating the current version of the second random number Mi, 
source device 102 again generates a pseudo random bit sequence (at p-bit per 
clock) to cipher the frame (block 308). For the illustrated embodiment, source 
device 102 generates the pseudo random bit sequence using a stream cipher 
with an immediately preceding version of the second random number Mi-1 and 
frame key Ki (in two roles, as another input random number and the stream 
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are 56 clocks in length. Each 64-bit Mi is formed by concatenating the "lower" 
16-bit stream cipher output of each of the last four clocks. 

Accordingly, video content may be advantageously transmitted in ciphered 
form with increased robustness from source device 102 to sink device 104 
through link 106 with reduced pirating risk. 

Figure 4 illustrates video source and sink devices of Fig. 1 in further 
detail, in accordance with one embodiment. As shown, video source and sink 
devices 102 and 104 include interfaces 108a and 108b disposed at the 
respective end of link 106. Each of interfaces 108a and 108b is advantageously 
provided with cipher 110 of the present invention and XOR 112 to practice the 
video content protection method of the present invention as described above. 
Additionally, for ease of explanation, interface 108a is also shown as having 
been provided with a separate random number generator 1 14. Except for 
interfaces 108a and 108b, as stated earlier, video source and sink devices 102 
and 104 are otherwise intended to represent a broad category of these devices 
known in the art. 

Random number generator 114 is used to generate the earlier described 
random number An. Random number generator 114 may be implemented in 
hardware or software, in any one of a number of techniques known in the art. In 
alternate embodiments, as those skilled in the art will appreciate from the 
description to follow, cipher 110 may also used to generate An, without the 
employment of a separate random number generator. 

Cipher 110 is a novel combined block/stream cipher capable of operating 
in either a block mode of operation or a stream mode of operation. To practice 
the video content protection method of the present invention, cipher 110 is used 
in block mode to generate the above described session key Ks and frame keys 
Ki, and in stream mode to generate the pseudo random bit sequences for the 
various frames (and indirectly Mi, as they are derived from the respective bit 
sequences). 
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"intermediate "keys", which are stored away (in storage locations not shown). The 
stored intermediate "keys" are then applied to the ciphered text in reversed order, 
resulting in the deciphering of the ciphered text back into the original plain text. 
Another approach to deciphering the ciphered text will be described after block 
key section 502 and data section 504 have been further described in accordance 
with one embodiment each, referencing Figs. 6-7. 

In stream mode, stream key section 506 is provided with a stream cipher 
key, such as the earlier described session key Ks or frame key Ki. Block key 
section 502 and data section 504 are provided with random numbers, such as 
the earlier described session/frame keys Ks/Ki and the derived random numbers 
Mi-1 . "Rekeying enable" signal is set to an "enabled" state, operatively coupling 
block key section 502 to stream key section 506. Periodically, at predetermined 
intervals, such as the earlier described horizontal blanking intervals, stream key 
section 506 is used to generate one or more data bits to dynamically modify the 
then current state of the random number stored in block data section 502. 
During each clock cycle, in between the predetermined intervals, both random 
numbers stored in block key section 502 and data section 504 are transformed. 
The random number provided to block key section 502 is independently 
transformed, whereas transformation of the random number provided to data 
section 504 is dependent On the transformation being performed in block key 
section 502. Mapping block 506 retrieves a subset each, of the newly 
transformed states of the two random numbers, and reduces them to generate 
one bit of the pseudo random bit sequence. Thus, in a desired number of clock 
cycles, a pseudo random bit sequence of a desired length is generated. 

For the illustrated embodiment, by virtue of the employment of the 
"rekeying enable" signal, stream key section 506 may be left operating even 
during the block mode, as its outputs are effectively discarded by the "rekeying 
enable" signal (set in a "disabled" state). 



11 



WO 01/17251 iw«.jr«^'«---- 

PCT/US00/12785 

' Again, substitution boxes 604 and linear transformation unit 606 may be 
implemented in a variety of ways in accordance with well known cryptographic 
principles. 

In one implementation for the above described embodiment, each register 
602a, 602b, 602c, 702a, 702b, 702c is 28-bit wide. [Whenever registers 602a- 
602c or 702a-702cb collectively initialized with a key value or random number 
less than 84 bits, the less than 84-bit number is initialized to the lower order bit 
positions with the higher order bit positions zero filled.] Additionally, each set of 
substitution boxes 604 or 704 are constituted with seven 4 input by 4 output 
substitution boxes. Each linear transformation unit 606 or 706 produces 56 
output values by combining outputs from eight diffusion networks (each 
producing seven outputs). More specifically, the operation of substitution boxes 
604/704 and linear transformation unit 606/706 are specified by the four tables to 
follow. For substitution boxes 604/704, the Ith input to box J is bit l*7+J of 
register 602a/702a, and output I of box J goes to bit l*7+j of register 602c/702c. 
[Bit 0 is the least significant bit.] For each diffusion network (linear transformation 
unit 606 as well as 706), the inputs are generally labeled 10-16 and the outputs 
are labeled O0-O6. The extra inputs for each diffusion network of the linear 
transformation unit 706 is labeled K0-K6. 
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Tzffie& II & HI - Diffusion networks for linear transformation unit 606/706 
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combiner function 804, coupled to each other as shown. LFSRs 802 are 
collectively initialized with a stream cipher key, e.g. earlier described frame key 
Ki. During operation, the stream cipher key is successively shifted through 
LFSRs 802. Selective outputs are taken from LFSRs 802, and combiner function 
804 is used to combine the selective outputs. In stream mode (under which, 
rekeying is enabled), the combined result is used to dynamically modify a then 
current state of a block cipher key in block key section 502. 

For the illustrated embodiment, four LFSRs of different lengths are 
employed. Three sets of outputs are taken from the four LFSRs. The 
polynomials represented by the LFSR and the bit positions of the three sets of 
LFSR outputs are given by the table to follows: 
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Table V- 



•olynomials of the LFSR and tap positions 



The combined result is generated from the third set of LFSR outputs, 
using the first and second set of LFSR outputs as data and control inputs 
respectively to combiner function 802. The third set of LFSR outputs are 
combined into a single bit. In stream mode (under which, rekeying is enabled), 
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Referring now to back to Figure 5, as illustrated and described earlier, 
mapping function 508 generates the pseudo random bit sequence based on the 
contents of selected registers of block key section 502 and data section 504. In 
one embodiment, where block key section 502 and data section 504 are 
implemented in accordance with the respective embodiments illustrated in Fig. 6- 
7, mapping function 508 generates the pseudo random bit sequence at 24-bit per 
clock based on the contents of registers (Ky and Kz) 602b-602c and (By and Bz) 
702b-702c. More specifically, each of the 24 bits is generated by performing the 
XOR operation on nine terms in accordance with the following formula: 

(B0.K0) © (B1.K1) © (B2.K2) © (B3.K3) © (B4«K4) © (B5.K5) © (B6.K6) 
© B7 © K7 

Where "©" represents a logical XOR function, "•" represents a logical AND 
function, and the input values B and K for the 24 output bits are 
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CLAIMS 

What is claimed is: 

1 . In a video source device, a method comprising: 

generating a session key for a transmission session within which a multi- 
frame video content is to be transmitted to a video sink device; and 

generating a successive number of frame keys, using at least the session 
key, to facilitate ciphering of corresponding frames of the multi-frame video 
content for transmission to the video sink device. 

2. The method of claim 1 , wherein said generating of successive frame keys 
comprises generating at each vertical blanking interval of said multi-frame video 
content, a frame key for ciphering a frame of said multi-frame video content. 

3. The method of claim 2, wherein said method further comprises generating 
a pseudo random bit sequence for each frame, using at least the corresponding 
frame key, for ciphering the particular frame of said multi-frame video content. 

4. The method of claim 3, wherein each of said generating of a pseudo 
random bit sequence using a corresponding frame key comprises successive 
modifications of the corresponding frame key. 

5. The method of claim 4, wherein said successive modifications of the 
corresponding frame key are performed at horizontal blanking intervals of the 
frame. 

6. The method of claim 3, wherein said method further comprises generating 
an initial pseudo random bit sequence using at least the session key, and 
deriving an initial pseudo random number from the initial pseudo random bit 
sequence to be used with a first frame key to generate a first pseudo random bit 
sequence to cipher a first frame. 

7. The method of claim 3, wherein each of said generating of a pseudo 
random bit sequence comprises generating sufficient number of pseudo random 
bits for ciphering a pixel on a bit-wise basis each clock. 

8. In a video source device, a method comprising: 

generating a frame key for each frame of a multi-frame video content; and 
generating a pseudo random bit sequence for each of the corresponding 

frames, using at least the corresponding frame key, for ciphering the video 

content. 

9. The method of claim 8, wherein said generating of a frame key for each 
frame comprises generating one frame key at each vertical blanking interval of 
said multi-frame video content. 



21 



WO 01/17251 



PCT/USOO/22785 



1 7. The apparatus of claim 13, wherein the block cipher comprises a first and 
a second register to store a first and a second value, and a function block 
coupled to the first and second registers to transform the stored first and second 
values, with a selected one of the transformed first and second values being the 
session key or a frame key. 

18. The apparatus of claim 17, wherein the block cipher is an integral part of 
said stream cipher. 

19. In a video sink device, a method comprising: 

generating a session key for a reception session within which a multi- 
frame video content is to be received from a video source device; and 

generating a successive number of frame keys, using at least the session 
key, to facilitate deciphering of corresponding frames of the multi-frame video 
content received from the video source device. 

20. The method of claim 1 9, wherein said generating of successive frame 
keys comprises generating at each vertical blanking interval of said multi-frame 
video content, a frame key for deciphering a frame of said multi-frame video 
content. 

21 . The method of claim 20, wherein said method further comprises 
generating a pseudo random bit sequence for each frame, using at least the 
corresponding frame key, for deciphering the particular frame of said multi-frame 
video content. 

22. The method of claim 21 , wherein each of said generating of a pseudo 
random bit sequence using a corresponding frame key comprises successive 
modifications of the frame key. 

23. The method of claim 22, wherein said successive modifications are 
performed at horizontal blanking intervals of the frame. 

24. The method of claim 21 , wherein said method further comprises 
generating an initial pseudo random bit sequence using at least the session key, 
and deriving an initial pseudo random number from the initial pseudo random bit 
sequence to be used with the first frame key to generate a first pseudo random 
bit sequence to cipher a first frame. 

25. The method of claim 21 , wherein each of said generating of a pseudo 
random bit sequence comprises generating sufficient number of pseudo random 
bits for deciphering a pixel on a bit-wise basis each clock. 

26. In a video sink device, a method comprising: 

generating a frame key for each frame of a multi-frame video content 
received from a video source device; and 
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